The hacking group suspected of cyberattacks against two giant casino operators has quickly made a name for itself for its skills in social engineering, such as tricking someone into granting access to a computer system or sensitive information.
Known as Scattered Spider and UNC3944, the group caused a web of chaos this week after launching a cyberattack at MGM Resorts International, according to five people familiar with the incident. The cyberattack resulted in downed websites and slot machines and forced staffers to check people into hotel rooms manually.
The same group was behind an earlier attack on Caesars Entertainment Inc., according to the people. Caesars paid tens of millions of dollars to the hackers who broke into the company’s systems and threatened to release data, according to two of the people.
On Thursday, Caesars said in a regulatory filing that it discovered suspicious activity in its information technology network “resulting from a social engineering attack on an outsourced IT support vendor used by the company.” The identity of the vendor wasn’t immediately known. “We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result,” Caesars said in the filing.
It’s still not clear how the attackers broke into MGM, which has declined to comment on specifics of the incident.
They are “incredibly effective social engineers,” said Charles Carmakal, chief technology officer for Mandiant Inc., part of Google Cloud, which has investigated the group in depth. He described the hacking group, which Mandiant first came across in May 2022, as “one of the most prevalent and aggressive threat actors impacting organizations in the United States today.”
Members of Scattered Spider are based in the US and UK, some as young as 19 years old, according to four cybersecurity researchers familiar with the group.
The hackers specialize in targeting call centers or IT help desks, impersonating legitimate customers or employees to trick support staff into coughing up access to accounts, according to cybersecurity experts. They are then able to burrow deeper into a corporate network and attempt to gain administrator privileges, which gives them broad access to the network.
Reached via the social media app Telegram, a person who identified as a member of Scattered Spider said the group numbers fewer than 10 people, mostly friends, and has been involved in hacking since they were 11 years old.
The person said the group picks targets carefully, focusing on companies valued from $15 billion to $45 billion, and that they don’t attack hospitals, oil refineries and power plants. The group’s motive is to get rich quickly and get away with it, the person said.
Bloomberg News couldn’t independently verify the person’s identity or affiliation with the hacking group. However, three cybersecurity experts assessed that the Telegram user was linked to the hacking group.
Scattered Spider has previously deployed a type of ransomware known as ALPHV to extort victims, according to Carmakal. Ransomware is a type of malware that locks up a victim’s files, and the hackers then demand payment to unlock them.
ALPHV is also the name of a hacking group that developed the ransomware, which it leases out to others — known as affiliates — for a fee. ALPHV was first detected in November 2021. ALPHV uses a programming language named Rust, which helps it evade conventional cybersecurity detection measures and makes it harder for incident responders to reverse engineer the attackers’ malware code, according to Microsoft Threat Intelligence.
The FBI said in April 2022 that ALPHV ransomware had been used in at least 60 attacks worldwide.
ALPHV is likely Russia-based, said Brett Callow, a threat analyst at the cybersecurity company Emsisoft. He is among experts who believe the group evolved from earlier Russian hacking outfits that disbanded following a spate of high-profile ransomware attacks, including the 2021 ransomware attack on Colonial Pipeline Co.
In a statement posted on the group’s dark web page on Thursday, ALPHV said that it deployed ransomware on MGM servers after representatives from the company didn’t respond to its ransom request. The group deployed ransomware on Sept. 11, the statement said, adding that they still have access to some of MGM’s infrastructure. Claims that teenagers from the US and UK broke into MGM were just rumors, according to the statement.
An MGM spokesperson didn’t immediately respond to a request for comment on ALPHV’s claims.
Alex Waintraub, an incident responder at the cybersecurity company Cygnvs Inc., said he has directly negotiated about 25 times with ALPHV since 2021 on behalf of hacked companies that call in cyber insurance to help.
The group’s ransom demands are all over the map, he said. “There is no pattern,” Waintraub said, adding that he has been able to talk down ransom demands by 70%.
The exact nature of the relationship between Scattered Spider and ALPHV isn’t known.
However, the representative of Scattered Spider said the groups have worked together multiple times and that Scattered Spider was grateful for ALPHV’s help in attacks on some companies. The person boasted that Scattered Spider and ALPHV were just getting started.
Authors: Katrina Manson, William Turton and Jamie Tarabay